1169 Views | 5 Helpful | 1 Replies

DOT1X/MAB/GUESTAUTH

gcook0001
Level 1

I have been working to try and get this working. I am not sure what is missing but here is what I am trying to do.

DOT1X = vlan 29

MAB = voice vlan 31

GUESTAUTH = vlan 37

I have been working on this for a number of weeks now with varied success.

The phone connects properly using MAB

The company computer connects properly using DOT1X using a certificate

I have issues with the guest computer.

This morning I came in and tried the guest computer which was plugged in to an IP phone. The consent page popped up and I entered the username for it and everything worked. The vlan changed to 37 and the computer got a dhcp address from the subnet.

I then unplugged the guest computer and connected the company computer and it worked properly.

I then went back to the guest computer and the network stayed on vlan 29 instead of switching to 37 and I didn't get asked to authenticate.

I then took the guest computer to a different switchport and when I plugged it in the network stayed on vlan 29 and I didn't get prompted for authentication.

The two ports are configured the same using a template.

parameter-map type webauth WEBAUTH_CONSENT
 type webconsent
!
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
service-template GUEST_VLAN
 vlan 37
service-template EMPLOYEE_CRITICAL_AUTH_ACCESS
 vlan 29
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
 match result-type aaa-timeout
 match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
 match result-type aaa-timeout
 match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_NO_RESP
 match method dot1x
 match result-type method dot1x agent-not-found
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 match activated-service-template EMPLOYEE_CRITICAL_AUTH_ACCESS
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 match activated-service-template EMPLOYEE_CRITICAL_AUTH_ACCESS
!
no class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
policy-map type control subscriber PORT-AUTH-POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template EMPLOYEE_CRITICAL_AUTH_ACCESS
   30 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 authorize
   20 pause reauthentication
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
   30 authorize
  40 class MAB_FAILED do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authenticate using webauth parameter-map CONSENT
   40 activate service-template GUEST_VLAN
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 terminate webauth
   40 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 terminate webauth
   30 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
 event violation match-all
  10 class always do-until-failure
!
template DEFAULT_PORT_TEMPLATE
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 3
 dot1x timeout supp-timeout 10
 dot1x max-req 10
 dot1x max-reauth-req 1
 switchport access vlan 29
 switchport mode access
 switchport voice vlan 31
 device-tracking attach-policy IPDT_POLICY
 mab
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PORT-AUTH-POLICY
!
interface GigabitEthernet1/0/15
 description DEER BOARDROOM
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 source template DEFAULT_PORT_TEMPLATE
 spanning-tree portfast
!
interface GigabitEthernet2/0/21
 description Gord Desk
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 source template DEFAULT_PORT_TEMPLATE
 spanning-tree portfast
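As an added check for this kind of IBNS 2.0 policy (example code added here, not from the original post or from Cisco), the script below parses a `class-map` / `policy-map type control subscriber` configuration and reports two things that make an action silently do nothing: a referenced class-map, service-template or webauth parameter-map with no definition, and a definition that was pasted as a `no ...` removal command. Run over the configuration above it flags that the webauth action names parameter-map `CONSENT` while the defined parameter-map is `WEBAUTH_CONSENT`, that the `MAB_FAILED` class-map block begins with `no`, and that service-template `CRITICAL_AUTH_ACCESS` is not defined in the paste (that last one may simply be a definition that was not pasted). The embedded sample is a trimmed copy of the posted policy, constructed here so the script runs stand-alone; pass a saved `show running-config` file as the first argument to check a real device.

```python
"""Dangling-reference check for a Cisco IOS-XE IBNS 2.0 configuration.

Added example for this thread; not code from the original post or from Cisco.
A policy-map 'type control subscriber' names class-maps, service-templates and
webauth parameter-maps. If a name has no matching definition, or the definition
was pasted as a 'no ...' removal command, the action does not do what the
operator expects. This script reports both cases.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "kind name detail")

# Constructed sample: a trimmed copy of the policy from the post, so the script
# runs stand-alone. Point it at a real 'show running-config' file instead.
SAMPLE_CONFIG = """\
parameter-map type webauth WEBAUTH_CONSENT
 type webconsent
!
service-template GUEST_VLAN
 vlan 37
service-template EMPLOYEE_CRITICAL_AUTH_ACCESS
 vlan 29
!
class-map type control subscriber match-all DOT1X_FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
class-map type control subscriber match-any IN_CRITICAL_AUTH
 match activated-service-template CRITICAL_AUTH_ACCESS
 match activated-service-template EMPLOYEE_CRITICAL_AUTH_ACCESS
!
no class-map type control subscriber match-all MAB_FAILED
 match method mab
 match result-type method mab authoritative
!
policy-map type control subscriber PORT-AUTH-POLICY
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class MAB_FAILED do-until-failure
   30 authenticate using webauth parameter-map CONSENT
   40 activate service-template GUEST_VLAN
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
"""

# Top-level definition lines. Group 1 is an optional 'no ' prefix, group 2 the name.
DEF_PATTERNS = {
    "service-template": re.compile(r"^(no\s+)?service-template\s+(\S+)"),
    "parameter-map": re.compile(r"^(no\s+)?parameter-map\s+type\s+webauth\s+(\S+)"),
    "class-map": re.compile(
        r"^(no\s+)?class-map\s+type\s+control\s+subscriber\s+match-\S+\s+(\S+)"),
}
# Reference sites inside class-maps and policy-map actions.
REF_PATTERNS = {
    "service-template": re.compile(
        r"\b(?:activate|deactivate)\s+service-template\s+(\S+)"
        r"|\bmatch\s+activated-service-template\s+(\S+)"),
    "parameter-map": re.compile(r"\bwebauth\s+parameter-map\s+(\S+)"),
    "class-map": re.compile(r"^\d+\s+class\s+(\S+)"),
}
BUILTIN_CLASSES = {"always"}  # 'class always' needs no class-map definition


def check_ibns_config(config_text):
    """Return Finding tuples for undefined references and 'no'-prefixed definitions."""
    defined = {kind: {} for kind in DEF_PATTERNS}      # kind -> {name: was_no_prefixed}
    referenced = {kind: set() for kind in REF_PATTERNS}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        for kind, pat in DEF_PATTERNS.items():
            m = pat.match(line)
            if m:
                defined[kind][m.group(2)] = m.group(1) is not None
        for kind, pat in REF_PATTERNS.items():
            for m in pat.finditer(line):
                name = next(g for g in m.groups() if g)
                if kind == "class-map" and name in BUILTIN_CLASSES:
                    continue
                referenced[kind].add(name)

    findings = []
    for kind in DEF_PATTERNS:
        for name in sorted(referenced[kind]):
            if name not in defined[kind]:
                # Hint at near-misses: a defined name that contains, or is contained in, the reference.
                near = sorted(d for d in defined[kind] if name in d or d in name)
                hint = f"; did you mean {', '.join(near)}?" if near else ""
                findings.append(Finding("undefined", name,
                                        f"{kind} referenced but not defined{hint}"))
            elif defined[kind][name]:
                findings.append(Finding("removed", name,
                                        f"{kind} definition is prefixed with 'no' (removal command)"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in check_ibns_config(text):
        print(f"[{f.kind}] {f.name}: {f.detail}")
```

The check is deliberately textual rather than a full IOS parser: it only needs the definition lines at column 0 and the reference lines inside `event` / `class` blocks, which is enough to catch a renamed object or a `no` that survived a copy-and-paste before the policy is pushed to a switch.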

1 Reply

thomas
Cisco Employee

Access control behavior of your computers is mediated by the IP Phone. Many older phones did not have an EAP-over-LAN Logoff so it would not know that you disconnected your Employee computer and connected the Guest computer because the IP phone maintains the Ethernet link so the switchport has no idea if and when the computer on the Data VLAN has been disconnected. EAPoL-Logoff solves this.

Alternatively, is the switchport detecting when your Guest computer is plugged in?  If you turn on debugs is the switchport detecting DHCP ARPs and triggering a RADIUS request?


In general we do not recommend dynamic VLANs because changing an endpoint's VLANs after an initial DHCP request may cause it to be orphaned with an old IP in a new VLAN. Windows has gotten better about this over the years but it is a very real issue with IoT devices.

Also, using named VLANs is better in your ISE policy so as you scale you don't care about which VLAN # is the Guest VLAN in site A vs site B. It's just "GUEST_VLAN" and the switch will apply the appropriate local VLAN.